Method to grant modification rights for a smart card

ABSTRACT

A Modification device ( 5 ) is designed to modify an application (A 1 , A 2 , A 3 , A 4 ) run by a data carrier (S), wherein a first key information item (K 1 ) is stored in the data carrier (S) and an associated second key information item (K 2 ) is stored in the modification device.

The invention relates to a granting method to grant a modificationdevice a modification right to modify an application in a data carrier.

The invention furthermore relates to a data carrier for running at leastone application.

The invention furthermore relates to a modification device for modifyingan application in the data carrier.

Such a data carrier is disclosed in the document EP 0 935 214 A, inwhich case the data carrier is formed by a smart card. Computer means ofthe data carrier are designed to run a number of applications orsoftware programs. The known data carrier may for example run a bankingapplication, running of which makes it possible for amounts of money tobe loaded onto the data carrier at a cash machine and used to pay in ashop. Furthermore, the known data carrier could run a patientapplication, running of which makes it possible for patient data to beread and amended by doctors and medical insurance companies. A largenumber of other applications, such as credit card applications or carpark ticket applications for example, are known to the person skilled inthe art.

When, using a data carrier of this type which runs credit cardapplications, a payment is to be made at a credit card terminal, then,in order to verify the validity of the data carrier, a data carrieridentification information item that identifies the data carrier iselectronically transmitted by the credit card terminal to what is knownas a trust center. The trust center checks the validity of the datacarrier identification information item and, if the result of the checkis positive, electronically outputs a validity information item to thecredit card terminal.

In the known data carriers, the applications are installed or stored instorage means of the data carrier at the time of manufacture of the datacarrier, or in any case before they are issued to users of the datacarrier. If a number of applications have been installed on a datacarrier, it must be ensured that the applications are run in a mannerdistinctly separate from one another and that undesired reciprocalaccesses to data that is perhaps secret or security-related (e.g.amounts of money, patient data) are prevented. Appropriate precautionsare disclosed in EP 0 935 214 A. Moreover, when modifying an applicationthat is run or is to be run in a data carrier, it must also be ensuredthat other applications run by the data carrier are not adverselyaffected. Furthermore, it must be ensured that only persons or devicesthat are authorized to modify applications gain access to the storagemeans of the data carrier. In addition, the identity of the data carriermust be verified without doubt prior to installing the application, inorder that the application is not stored on a different data carrierthat is used by third parties.

It is an object of the invention to provide a granting method of thetype mentioned in the first paragraph, a data carrier of the typementioned in the second paragraph and a modification device of the typementioned in the third paragraph, in which the above-describedprecautions have been taken. To achieve the above object, the followingmethod steps are provided in such a granting method:

generation of a first key information item and of an associated secondkey information item for one or more data carriers identified by a datacarrier identification information item;

granting of the modification right for data carriers identified by thedata carrier identification information item by outputting of the datacarrier identification information item and of the associated second keyinformation item to the modification device;

checking of the association of the first key information item stored inthe data carrier with the second key information item in the datacarrier that was output to the data carrier by the modification deviceand, if the result of the check is positive;

allowing of the modification of the application in the data carrier bythe modification device.

To achieve the above object, such a data carrier is characterized by thefollowing features: computer means for running the at least oneapplication, where information items communicated via the interfaces orinformation items stored in the data carrier are processed, and having

storage means for storing a first key information item and an associateddata carrier identification information item that identifies the datacarrier, and having

checking means for checking a modification right of a modificationdevice to modify an application in the data carrier via the interface,where the checking means are designed to check the association of thefirst key information item stored in the storage means with the secondkey information item output to the data carrier by the modificationdevice, and having

modification means which, following confirmation of the modificationright of the modification device by the checking means, are designed toenable modification of the application in the data carrier by themodification device.

To achieve the above object, such a modification device is characterizedby the following features: at least one interface for the contactlessand/or contact communication of information items to a data carrieridentified by a data carrier identification information item, and having

storage means for storing at least one data carrier identificationinformation item that identifies a data carrier, and an associatedsecond key information item, and having

computer means for modifying applications in data carriers via theinterface where, in the course of communication with a data carrieridentified by a stored data carrier identification information item, themodification right of the modification device is output to the datacarrier by communication of the second key information item associatedwith this data carrier identification information item, whereupon,following confirmation of the modification right by the data carrier,the modification device is authorized and designed to modify theapplication in the data carrier.

By means of the features according to the invention, the situation isachieved that, for data carriers which are identified by a data carrieridentification information item, a respectively associated first andsecond key information item can be generated. The first key informationitem and the data carrier identification information item are stored inthe data carrier and the second key information item and the datacarrier identification information item are output to a modificationdevice. As a result, the modification device obtains the modificationright to modify one or more applications of the data carrier or carriersidentified by the data carrier identification information item.Modification of an application of a data carrier in this case means theinitial installation of the application on the data carrier, theupdating (e.g. new version) of an application that is already installedon the data carrier, and also the deletion of an application from a datacarrier.

The modification device may thus advantageously, at a time when the datacarriers have already been issued to users, modify applications of thedata carriers for which it has acquired the modification right byobtaining the data carrier identification information item and theassociated second key information item. The acquiring of themodification right may be connected with the payment of a fee for themodification right, whereby an interesting business method is obtained.In this case, it is particularly advantageous that the modification ofan application of a data carrier can take place in the course ofcommunication of the data carrier with the modification device, withouta trust center having to be contacted in order to confirm themodification right.

According to the measures of claims 2 and 11, the advantage is obtainedthat the modification right can authorize the modification device, forexample, only to install a new application, but not to update or deletethe application. Likewise, the modification right could authorize themodification device only to delete an application and where appropriatealso at the same time to install a new application in the storage areaof the storage means in the data carrier which has become free as aresult of the deletion. If a new version of an application is to beinstalled in place of the old version of the application on all datacarriers that have already been issued to users, then a correspondingmodification right could be issued by the operator of the application(e.g. barking application) to the operators of modification devices(e.g. cash machines). A large number of such advantageous uses are madepossible, with it being possible for the acquiring of the modificationright to be connected in each case with services in return, whereby aninteresting business method is obtained.

According to the measures of claims 3 and 12, the advantage is obtainedthat, by means of the modification right, that is to say by means of thedata carrier identification information item and associated second keyinformation item, the application which may be modified is identified.For a data carrier that runs two applications, it is thereforeadvantageously possible for the above-described different modificationrights (install, update, delete) to be granted for each of the twoapplications.

According to the measures of claims 4 and 13, the advantage is obtainedthat a modification right can be granted to install a new application inthe data carrier, with the new application not requiring more than amaximum amount of storage space (e.g. 1 kBit) in the storage means. As aresult, a particularly interesting business model is obtained in whichstorage space can be sold in data carriers that have already been issuedto users. Thus, a credit card manufacturer could reserve, in the storagemeans of his credit card, storage space for future applications and,when a large number of credit cards have already been issued to users,sell this storage space in the form of corresponding modification rightsto one or more companies in order to also run their applications (e.g.customer loyalty card, electronic car park ticket) using the creditcard.

According to the measures of claim 5, the advantage is obtained that,using only one modification right formed by only one data carrieridentification information item and only one second key informationitem, an application can be modified in a group of data carriers, wherethe data carriers are all identified by the same data carrieridentification information item.

According to the measures of claims 6 and 14, the advantage is obtainedthat a modification right identifies specific access rights of theapplication that is to be modified. For example, a modification rightcould be granted for a credit card, which modification right authorizesthe installation of an application that may use only the contactinterface and not the contactless interface and exclusively permitsreading rights in specific storage areas that are common to allapplications of the credit card.

According to the measures of claim 7, the advantage is obtained that themodification right can modify access rights for some or all of theapplications run by the data carrier to interfaces or storage areas, bymeans of a second master key information item that is associated withthe first master key information item stored in the data carrier.Likewise, using the master key information items, a new first keyinformation item could be generated and stored in the data carrier and anew second key information item could be generated and stored in themodification device, in order to be able to modify another application.

According to the measures of claim 8, the advantage is obtained that,using the master key information items, the modification of the accessrights and/or the generation of key information items can be restrictedto just one specific application.

According to the measures of claim 9, the advantage is obtained that, inaddition to the checking of the key information item by the datacarrier, specific properties of the application that is to be modifiedare checked before modification of the application is enabled. In thiscase, for example, the operator of the application could store a thirdkey information item in the application, the correctness of which ischecked prior to modification of the application by the data carrier.

According to the measures of claim 15, the advantage is obtained thatwhat are known as Java applets can particularly advantageously be run bydata carriers.

According to the measures of claim 16, the advantage is obtained thatthe modification device can be formed by an operator computer of theoperator of an application and by a reading device (e.g. cash machine),which are connected to one another over a data network (e.g. Internet,company network, telephone network, etc.). In this way, a large numberof advantageous uses are made possible.

The invention will be further described with reference to examples ofembodiments shown in the drawings to which, however, the invention isnot restricted.

FIG. 1 shows a data carrier in which a modification device is installinganother application.

FIG. 2 shows a modification method for modifying an application in thedata carrier shown in FIG. 1.

FIG. 1 symbolically shows the manufacturing process H for a smart card Swhich forms a data carrier and which, after the manufacturing process His complete, is designed for contactless communication with a terminal 1and for contact communication with a reading device 2. During themanufacturing process H, an integrated circuit is incorporated into aplastic card and connected to an antenna 3, for contactlesscommunication, and to a contact bank 4, for contact communication. Sucha manufacturing process H has been known for a long time and istherefore not discussed in more detail here.

FIG. 2 shows a granting method E to grant a modification device 5 amodification right to modify an application in the smart card S. In thiscontext, application is understood to mean the nature of the use (e.g.as credit card, as museum entrance ticket, etc.) of the smart card S andthus computer means 6 of the smart card S are understood to mean thosewhich run a software program to make this use possible.

In the manufacturing process H for the smart card S, one or moreapplications, or the corresponding software programs, are stored instorage means 7 of the smart card S. Furthermore, during themanufacturing process H, each smart card S is given a data carrieridentification information item, that is to say, according to thisexample of embodiment, a progressive serial number ID, which is storedin security storage means 8 of the smart card S and is used tounambiguously identify each smart card S. The serial number ID is inthis case formed by a binary bit combination having 64 digits, and thesecurity storage means 8 are formed by an area of the storage means 7that is particularly well protected against hacker attacks.

According to block B1 of the granting method E, during the manufacturingprocess H a computer C generates a first key information item K1 and anassociated second key information item K2 for each smart card Sidentified by its serial number ID. Furthermore, for some or all of thesmart cards S identified by a serial number ID, a first master keyinformation item MKI1 and a second master key information item MKI2 aregenerated, as described in greater detail below. The key informationitems K1 and K2 and also the master key information items MKI1 and MKI2may in this case be formed by what are known as symmetric binary keys orby what are known as asymmetric binary keys, as has long been known tothe person skilled in the art. The person skilled in the art also knowsother encryption methods having in each case two key information items,which can likewise be used in this connection.

The first key information item K1 generated by the computer C, and thefirst master key information item MKI1 which may also have beengenerated, are stored in the security storage means 8 of the smart cardS in a manner associated with the serial number ID of the smart card Sand are processed by a security application AS run by the smart card S,as described in more detail below. Possibly all information itemsgenerated by the computer C, but in any case the serial number ID, thesecond key information item K2 and the second master key informationitem MKI2 which may also have been generated, are stored in securitystorage means 9 of the manufacturer of the smart card S. The informationitems stored in the security storage means 9 can then subsequently beused to grant modification rights to modify applications in the smartcard S, as will be described in detail below with reference to examplesof embodiments.

According to a first example of application, it is assumed that themanufacturer of the smart card S manufactures a million smart cards Sfor a credit card company. For this purpose, during the manufacture ofthe smart cards S, an item of credit card software is stored in thestorage means 7 and run by the computer means 6 as first application A1.During manufacture, the serial number ID=“123 . . . 84”, the first keyinformation item K1=“2 . . . 4” and the first master key informationitem MKI1=“88 . . . 3” are stored in the security storage means 8 of thesmart card S. The serial number ID=“123 . . . 84”, the second keyinformation item K2=“3 . . . 5” associated with the first keyinformation item K1 and the second master key information item MKI2=“99. . . 4” associated with the first master key information item MKI1 arestored in an associated manner in the security storage means 9 of themanufacturer. An effective connection W indicates that all the smartcards S that are generated are issued to customers of the credit cardcompany. Thereafter, the smart cards S are used to pay for transactionsin shops, as is generally known.

When manufacturing the smart cards S, care was taken to ensure that thestorage means 7 still have sufficient additional storage space evenafter the writing in of the credit card software. For example, thecredit card software could occupy 3 kBits of the storage space of thestorage means 7 and the security storage means 8 could occupy 4 kBits,with 17 kbits of the storage means 7 still remaining free, said storagemeans 7 being 24 kBits overall and being formed by an EEPROM.Furthermore, the computer means 6 have been dimensioned in terms oftheir computing power such that up to four applications A1, A2, A3 andA4 can be run in parallel or in a manner offset in terms of time.

According to the example of application, it is now assumed that a largedepartment store chain would like to issue customer loyalty cards to itscustomers, in order to provide these customers with particular sales orrefund conditions. Since a large number of customers of the departmentstore chain pay for their purchases using the smart cards S of thecredit card company and it is more convenient for the customer not tohave to carry yet another card with him as the customer loyalty card,the department store chain acquires from the credit card company amodification right to install their customer loyalty card software onthe smart cards S as a second application A2.

At a block B2 of the granting method E, the department store chain, asfuture operator of the application A2, asks the credit card company orthe manufacturer of the smart cards S for a modification right and paysthe purchase price necessary for this. In this case, the departmentstore chain is essentially buying the storage space in the storage means7 of all the smart cards S already issued to customers, in order tostore the customer loyalty software in the storage means 7. The purchaseprice will in this case be dependent on the storage space requirementand on the number of smart cards S issued to customers. Furthermore, thepurchase price can be made to be dependent on which interfaces—eitheronly the contactless interface or only the contact interface or bothinterfaces—are required by the second application A2, and also on thecomputing power that will be necessary in order to run the secondapplication A2. In addition, the purchase price will depend on whethermaster key information items have also been generated for the smartcards S and on whether the second master key information items MKI2 arebeing purchased at the same time. An interesting business model is thusobtained by the purchasing of modification rights.

Once the credit card company or the manufacturer of the smart cards Shas reached agreement with the operator of the second application A2,that is to say the department store chain, at a block B3 themodification rights, that is to say the serial numbers ID together withthe associated second key information items K2 for each smart card S andwhere appropriate also the second master key information items MKI2, aretransmitted to an operator computer 10 of the operator of the secondapplication A2. This transmission can—as shown in FIG. 1—take place overa data network NET, where the most stringent security precautions mustbe taken, for example by contacting a trust center, in order to preventthe modification rights being acquired by unauthorized persons. However,the modification rights could also be transmitted manually, by thehanding over of a CD-ROM, hard disk or DVD that has the correspondinginformation stored on it to the operator of the application A2. Themodification rights are then available in the operator computer 10.

According to the example of application, it is assumed that, forsecurity reasons, only the contact interface of the smart cards S is tobe used for the purpose of installing the second application. For thispurpose, the modification device 5 for installing the second applicationis formed by the operator computer 10 and a large number of readingdevices 2 connected to the operator computer 10 over a data network NET.As soon as a customer would like to pay for his goods using the creditcard application of the smart card S and the salesperson inserts thesmart card S into the reading device 2, the process of installing thesecond application on the smart card S begins at a block B4.

At the start of the installation process, the smart card S transmits itsserial number ID via interface means 11, the contact bank 4 and acontact bank 12 of the reading device 2. A computer stage 13 of thereading device 2 transmits the serial number ID to the operator computer10, which then checks whether the smart card S is a valid smart card S.Where necessary, the smart card S could encrypt a code word using itsfirst key information item K1 and transmit it via the reading device 2to the operator computer 10, which encrypted code word can be decryptedin the operator computer 10 only by means of the associated second keyinformation item K2. This checking of the validity of the smart card Sserves to prevent the second application A2 from being installed on aninvalid smart card S.

Once the validity of the smart card S has been determined at the blockB4, then the installation of the second application A2 is continued at ablock B5 and otherwise terminated. At the block B5, the second keyinformation item K2 associated with the serial number ID of the smartcard S in the operator computer 10 is determined and output to thesecurity application AS of the smart card S via the reading device 2.Where necessary, the second key information item K2 can also beencrypted for security reasons. The security application AS then checks,at a block B6, whether the first key information item K1 stored in thesecurity storage means 8 is associated with the second key informationitem K2 output by the modification device 5, it being determined whetherthe modification device 5 has a modification right to modify or toinstall the second application A2.

If the result of the check at the block B6 shows that the modificationdevice 5 is authorized to install the second application A2, then thesecond application A2 is stored in the storage means 7 of the smart cardS at a block B7. To do this, the operator computer 10 transmits thesecond application A2 via the reading device 2 and the smart card Sallows the reading device 2 access to the storage means 7 to a certainextent. The extent or nature of the modification of the secondapplication A2 by the modification device 5 is in this case determinedby the nature of the modification right, that is to say by the secondkey information item K2, and is ascertained by the security applicationAS in the smart cards S.

The modification right may authorize the operator of the secondapplication A2 to install the second application A2 in apart of thestorage means 7 that is limited in terms of its storage space (e.g. amaximum of 5 kBits). This ensures that there is actually enough storagespace in the storage means 7 for four applications A1 to A4.

Furthermore, the access rights of the second application A2 to storageareas of the storage means 7 that are common for the applications and tothe interfaces of the smart card S can be determined by the modificationright. In this case, the customer loyalty card application could forexample use only the contactless interface for the communication ofcustomer data and refunds.

Furthermore, the modification right may determine which type ofmodification of an application can be carried out by the modificationdevice 5. In this case, the modification device 5 could be authorizedonly to replace the second application A2 by a newer version of thecustomer loyalty card application or to replace it by a completelydifferent second application A2. Likewise, the modification right couldallow exclusively the deletion of the second application. Likewise,combinations of these possibilities or all these possibilities may bepossible with only a second key information item K2.

Furthermore, the modification right may or must also identify theapplication which may be modified, in order to prevent, for example, awrong application from being deleted from the storage means 7 of thesmart card S. However, the modification right may also identify only aspecific storage area in the storage means 7, in which storage area anymodification or a prescribed modification may be carried out.

If the first master key information item MKI1 has been stored in thesmart card S and if the associated second master key information itemMKI2 for the smart card S has been output to the modification device 5,then the modification device 5 can modify access rights in the smartcard S and/or generate further first key information items K1 in thesmart card S and further second key information items K2 in the operatorcomputer 10. It is assumed that the department store chain no longerwishes to use only terminals 1 that communicate contactlessly tocommunicate customer data, but rather would also like to use the readingdevices 2 which communicate in a manner that requires contact. However,since the second application A2 at the time of its installation was onlygiven access rights to the contactless interface (interface 11 andantenna 3), this is not possible. The modification device 5 can makecontact, by encrypting an access right modification command using thesecond master key information item MKI2 and transmitting the encryptedcode to the smart card S, to the effect that the security application ASascertains the modification right of the modification device 5 bydecrypting the received code using the first master key information itemMKI1 stored in the security storage means 8, and executes the accessright modification command. As a result, the second application A2 gainsaccess both to the contactless interface and to the contact interface inthe smart card S. It is thus advantageously possible, even in the caseof applications which are run by smart cards S already issued tocustomers, for the access rights to interfaces and likewise to storageareas of the storage means 7 to be modified.

Furthermore, the case may arise where the first key information item K1stored in the security storage means 8 has already been used to modifyan application or has been discovered by hackers and thus can perhaps nolonger be used. In this case, a new first and second key informationitem can be generated by the operator computer 10, where the new firstkey information item could be transmitted as code to the smart card S ina manner encrypted using the first master key information item MKI1. Thesecurity application AS of the smart card S could then decrypt thereceived code using the second master key information item MKI2,whereupon the new first key information item could advantageously bestored in the security storage means 8 of the smart card S to modifyanother application.

The first master key information item MKI1 and the second master keyinformation item MKI2 could also be generated such that it is notpossible to make modifications that relate to the smart card S as awhole but rather it is only possible to make access right modificationsthat relate to just one application or to generate new key informationitems for just this one application. It could hereby be ensured thatcertain critical applications (e.g. credit card application, bankingapplication, etc.) can in no way be modified, that is to say not even bymeans of a master key information item, since the right of the masterkey information items would be restricted to other applications.

As a further security precaution, it could be defined that themodification of the application in the smart card S by the modificationdevice 5 of the smart card S is only permitted when specific propertiesof the application that is to be modified are determined. For example, afurther key information item which is perhaps not even known to themanufacturer of the smart card could have been inserted into theapplication by the operator of the application, the hidden further keyinformation item of which forms a property of the application. The smartcards S would then permit a modification (e.g. deletion) of thisapplication that is stored in the smart card S by the modificationdevice 5 only when the modification device 5 transmits to the smart cardS a key information item that is associated with the further keyinformation item. The advantage is hereby obtained that the operator ofthe application can take further security precautions for itsapplication.

According to a second example of embodiment which is not shown in thefigures, the user of the smart card S could own a computer together witha connected contactlessly communicating terminal, which in this caseforms a modification device. According to the second example ofembodiment, the computer is connected via the Internet to a server of amessage transmitter, by which messages can be called up and by which amessage subscription is offered. The user electronically fills out aregistration form for the message subscription and enters his creditcard number to pay for the message subscription (block B2). Then, amodification right (ID and K1) is stored via the Internet on the user'scomputer, by means of which modification right a message application canbe installed in the smart card. According to the installation processdescribed above, the message application is then stored in the smartcard as third application. The user then has the possibility; using thesmart card, to call up current messages of the message subscription atany computers with contactlessly communicating terminals. Furthermore, acinema ticket for a visit to the cinema was also included in the messagesubscription. The user can thus present his smart card at a terminal ofa cinema ticket point, whereupon the message application of the smartcard confirms a cinema ticket only once, in the course of contactlesscommunication. This service is possible since the operator of the cinemais collaborating with the operator of the message transmitter.

A transponder, a Personal Digital Assistant, a mobile telephone oranother similar device could also be used as data carrier. Thecontactless communication can take place, for example, in accordancewith one of the published standards ISO14.443, ISO15.693, ISO18.000,ECMA 340 or else in accordance with one of the telephone standards GSMor UMTS.

By means of the granting method according to the invention, the datacarrier according to the invention and the modification device accordingto the invention, in addition to the advantages described above, theessential advantage is obtained that applications can be modified indata carriers that have already been issued to customers, and thusadditional services can be enabled with the data carriers, withouthaving to involve a trust center for this purpose. By avoiding the needfor a trust center, applications can also be modified by modificationdevices operating “off-line” and costs for the trust center can besaved. An interesting business method is obtained by the selling of themodification rights.

1. A granting method to grant a modification device a modification rightto modify an application in a data carrier, wherein the following stepsare carried out: generation of a first key information item and of anassociated second key information item for one or more data carriersidentified by a data carrier identification information item; grantingof the modification right for data carriers identified by the datacarrier identification information item by outputting of the datacarrier identification information item and of the associated second keyinformation item to the modification device; checking of the associationof the first key information item stored in the data carrier with thesecond key information item in the data carrier that was output to thedata carrier by the modification device and, if the result of the checkis positive; allowing of the modification of the application in the datacarrier by the modification device.
 2. A granting method as claimed inclaim 1, wherein the modification right gives the right to installand/or update and/or delete the application in the data carrier.
 3. Agranting method as claimed in claim 1, wherein the modification rightonly gives the right to modify a specific application in the datacarriers.
 4. A granting method as claimed in claim 1, wherein themodification right only gives the right to install an applicationrequiring a predefined maximum amount of storage space in the datacarrier.
 5. A granting method as claimed in claim 1, wherein the datacarrier identification information item identifies a group of datacarriers.
 6. A granting method as claimed in claim 1, wherein themodification right also determines the access rights of the applicationthat is to be modified in the data carrier to storage areas andinterfaces of the data carriers.
 7. A granting method as claimed inclaim 1, wherein the following further steps are carried out: generationof a first master key information item and of an associated secondmaster key information item for one or more data carriers identified bya data carrier identification information item, wherein the modificationof access rights in the data carrier sand/or the generation of furtherkey information items in the data carrier sand the modification deviceis possible only with the first master key information item stored inthe data carrier and only with the second master key information itemstored in the modification devices.
 8. A granting method as claimed inclaim 7, wherein the first master key information item and theassociated second master key information item only make it possible tomodify access rights of a specific application in the data carriersand/or to generate further key information items in the data carriersand the modification device in order to modify a specific application.9. A granting method as claimed in claim 1, wherein modification of theapplication in the data carrier by the modification device of the datacarrier is only permitted when specific properties of the applicationthat is to be modified are determined.
 10. A data carrier for running atleast one application, having at least one interface for the contactlessand/or contact communication of information items, and having computermeans for running the at least one application, where information itemscommunicated via the interfaces or information items stored in the datacarrier are processed, and having storage means for storing a first keyinformation item and an associated data carrier identificationinformation item that identifies the data carrier, and having checkingmeans for checking a modification right of a modification device tomodify an application in the data carrier via the interface, where thechecking means are designed to check the association of the first keyinformation item stored in the storage means with the second keyinformation item output to the data carrier by the modification devices,and having modification means which, following confirmation of themodification right of the modification device by the checking means, aredesigned to enable modification of the application in the data carrierby the modification device.
 11. A data carrier as claimed in claim 10,wherein the checking means are designed to confirm a restrictedmodification right which only gives the right to install and/or updateand/or delete the application, in the data carriers.
 12. A data carrieras claimed in claim 10, wherein the checking means are designed toconfirm a restricted modification right which only gives the right tomodify a specific application in the data carrier.
 13. A data carrier asclaimed in claim 10, wherein the checking means are designed to confirma restricted modification right which only gives the right to install anapplication requiring a predefined maximum amount of storage space inthe data carrier.
 14. A data carrier as claimed in claim 10, wherein thechecking means are designed to confirm a modification right whichdetermines the access rights of the application that is to be modifiedin the data carrier to storage areas of the storage means and interfacesof the data carrier.
 15. A data carrier as claimed in claim 10, whereinthe computer means are designed to run an application formed by a Javaapplet.
 16. A modification device for modifying an application in a datacarrier, having at least one interface for the contactless and/orcontact communication of information items to a data carrier identifiedby a data carrier identification information item, and having storagemeans for storing at least one data carrier identification informationitem that identifies a data carrier, and an associated second keyinformation item, and having computer means for modifying applicationsin data carriers via the interface where, in the course of communicationwith a data carrier identified by a stored data carrier identificationinformation item, the modification right of the modification device isoutput to the data carrier by communication of the second keyinformation item associated with this data carrier identificationinformation item, whereupon, following confirmation of the modificationright by the data carrier, the modification device is authorized anddesigned to modify the application in the data carrier.
 17. Amodification device as claimed in claim 16, wherein the modificationdevice is formed by an operator computer containing the storage meansand by a reading device that is connected to the operator computer overa data network, the reading device comprising the at least one interfaceand at least part of the computer means of the modification devices.